
Verify source code with cosign #1136

Closed
kpcyrd opened this issue May 24, 2024 · 2 comments

Comments

@kpcyrd

kpcyrd commented May 24, 2024

Hello!

cosign was brought up in the Arch Linux packaging channel and I was wondering if apko could be a good example package to document how to integrate cosign into a PKGBUILD.

Specifically, after downloading the source code from this url:

https://github.com/chainguard-dev/apko/archive/refs/tags/v0.14.1.tar.gz

How would I use cosign to authenticate this source code? Do I need to access a git object instead?

I noticed there are .sig and .crt files attached to the release, but they are all architecture specific (and same for the content of checksums.txt).

Input very welcome, thanks! :)

@krishjainx

We have some good docs here: https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-verify-file-signatures-with-cosign/

~ on ☁️  krish.jain@chainguard.dev 
❯ cosign verify-blob \
  --signature https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_amd64.tar.gz.sig \
  --certificate https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_amd64.tar.gz.crt \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity "https://github.com/chainguard-dev/apko/.github/workflows/release.yaml@refs/tags/v0.14.7" \
  https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_amd64.tar.gz
Verified OK

If you encounter any issues related to architecture-specific signatures and certificates, make sure that you are using the correct set of files for your specific architecture.

Feel free to reach out if this is still a problem.

@xnox
Contributor

xnox commented Jun 13, 2024

https://github.com/chainguard-dev/apko/archive/refs/tags/v0.14.1.tar.gz is an automatically (on the fly) generated export tarball by github of the git tag.

It is not an artifact uploaded by our release workflows, which sign binary artifacts using cosign.

Some commits and tags are at times signed with gitsign / cosign, however many commits are signed with ssh/gpg signatures instead.
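The two answers above together give the practical rule for a packager: the GitHub-generated archive of the tag carries no cosign signature, so what can be verified are the per-architecture release tarballs, each against its own `.sig` and `.crt`, with the certificate identity pinned to the release workflow at the exact tag. The script below is an added example written for this thread; it is not code from the apko project or from any of the participants. It assumes (not stated in the issue) that the tarballs, their `.sig`/`.crt` files and `checksums.txt` have already been downloaded into one directory, as a PKGBUILD's `source=` array would do, and that `checksums.txt` uses the `<sha256>  <filename>` layout. The issuer and workflow path are the ones shown in the `cosign verify-blob` command above; the function names are the example's own.

```shell
#!/bin/sh
# Added example for this issue, not apko project code.
# Verifies apko release tarballs with `cosign verify-blob`, pinning the
# certificate identity to the release workflow at one exact tag.
# Assumed layout: artifact, artifact.sig and artifact.crt side by side in DIR,
# plus checksums.txt as "<sha256>  <filename>" lines (assumption).
set -eu

COSIGN="${COSIGN:-cosign}"   # path to the cosign binary; overridable
APKO_ISSUER="https://token.actions.githubusercontent.com"

# Identity cosign must find in the certificate. Pinning the tag (not a
# wildcard) means a valid signature from a different apko release cannot be
# presented as the signature for this one.
apko_release_identity() {
    printf 'https://github.com/chainguard-dev/apko/.github/workflows/release.yaml@refs/tags/v%s\n' "$1"
}

# Per-architecture artifact name, following the naming seen in the issue.
apko_artifact_name() {
    printf 'apko_%s_%s_%s.tar.gz\n' "$1" "$2" "$3"
}

# Verify one tarball against its detached .sig and .crt.
# Usage: apko_verify_file VERSION PATH   (non-zero status: do not unpack it)
apko_verify_file() {
    version="$1"; artifact="$2"
    for f in "$artifact" "$artifact.sig" "$artifact.crt"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 2; }
    done
    # verify-blob hashes the file itself, so the signature is bound to the
    # exact bytes on disk; checksums.txt is not needed for that.
    "$COSIGN" verify-blob \
        --signature "$artifact.sig" \
        --certificate "$artifact.crt" \
        --certificate-oidc-issuer "$APKO_ISSUER" \
        --certificate-identity "$(apko_release_identity "$version")" \
        "$artifact"
}

# One os/arch pair. Usage: apko_verify VERSION OS ARCH [DIR]
apko_verify() {
    dir="${4:-.}"
    apko_verify_file "$1" "$dir/$(apko_artifact_name "$1" "$2" "$3")"
}

# Every apko tarball listed in checksums.txt, one cosign run per file, since
# the signatures are per artifact. Usage: apko_verify_all VERSION [DIR]
apko_verify_all() {
    version="$1"; dir="${2:-.}"
    awk '{print $2}' "$dir/checksums.txt" | grep '^apko_.*\.tar\.gz$' |
    while read -r name; do
        apko_verify_file "$version" "$dir/$name" || exit 4
    done
}
```

In a PKGBUILD the natural place for `apko_verify` is `prepare()` (or a `verify()`-style helper), run before anything is extracted; a non-zero status must abort the build rather than fall through to unpacking. `apko_verify_all` is there for a packager who builds for several architectures and wants every listed tarball checked in one pass.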
